Re: How to report a Vulnerability to a Company

From: krymson@gmail.com
Date: Wed Jan 09 2008 - 17:37:21 EST


Before you go the anonymous route, think about how truly anonymous you are. If you report a vulnerability to the company, and they (rightly) decide to scan their logs to see if someone has exploited that vulnerability, they may come across you in the logs. Since they don't know you, this might trigger an incident response process. If the exploit is big enough and the process goes on long enough, they might pursue you and disclose to their customers before they realize it was just you. Hopefully, if you go this route, you did your "testing" from a non-identifiable Internet connection.

(Note: I'm not condoning "testing" sites from an anonymous account, but the grey hat in me says that if you do decide to go this dubious route, do so with some foresight and use someone else's box/connection, whether that be a wifi hotspot, proxy, or ssh tunnel...)
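As an added illustration of the log review the post describes (this is example code, not part of the original message): once a vulnerable endpoint is reported, an incident responder typically pulls the web access logs, filters for requests to that path, and looks for sources that hammered it in a short burst. A reporter who "tested" the issue from their home connection shows up in exactly the same bucket as a real attacker. The endpoint path, IP addresses and log lines below are constructed for the example; the log format is the standard Apache/nginx "combined" format.

```python
"""Scan combined-format web access logs for bursts of requests against a
reported vulnerable path and group them by source address.

Example code added to illustrate the post; the endpoint /account/export, the
addresses and the log lines are constructed, not taken from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format:
# ip ident user [ts] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a "reporter" (203.0.113.7) trying a few ids, one normal
# user (198.51.100.23), a scripted enumeration (192.0.2.55) and one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2008:22:14:01 -0500] "GET /account/export?id=1042 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jan/2008:22:14:09 -0500] "GET /account/export?id=1043 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jan/2008:22:14:15 -0500] "GET /account/export?id=1044 HTTP/1.1" 200 5011 "-" "Mozilla/5.0"
198.51.100.23 - - [08/Jan/2008:22:20:44 -0500] "GET /account/export?id=77 HTTP/1.1" 200 5102 "-" "Mozilla/5.0"
198.51.100.23 - - [08/Jan/2008:22:20:50 -0500] "GET /index.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.55 - - [09/Jan/2008:03:02:10 -0500] "GET /account/export?id=1 HTTP/1.1" 200 4811 "-" "curl/7.16"
192.0.2.55 - - [09/Jan/2008:03:02:11 -0500] "GET /account/export?id=2 HTTP/1.1" 200 4790 "-" "curl/7.16"
192.0.2.55 - - [09/Jan/2008:03:02:12 -0500] "GET /account/export?id=3 HTTP/1.1" 200 4802 "-" "curl/7.16"
192.0.2.55 - - [09/Jan/2008:03:02:13 -0500] "GET /account/export?id=4 HTTP/1.1" 200 4799 "-" "curl/7.16"
not a log line
"""


def parse_log(text):
    """Parse combined-format lines; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
        entries.append(entry)
    return entries


def requests_to(entries, path_prefix):
    """Keep only requests whose path (query string excluded) starts with the reported path."""
    return [e for e in entries if e["path"].partition("?")[0].startswith(path_prefix)]


def by_source(hits):
    """Per source IP: request count, first/last seen, and the distinct query strings tried."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "queries": set()})
    for h in hits:
        g = groups[h["ip"]]
        g["count"] += 1
        g["first"] = h["ts"] if g["first"] is None else min(g["first"], h["ts"])
        g["last"] = h["ts"] if g["last"] is None else max(g["last"], h["ts"])
        g["queries"].add(h["path"].partition("?")[2])
    return dict(groups)


def burst_sources(hits, min_requests=3, window=timedelta(minutes=5)):
    """Sources with at least `min_requests` hits inside any `window`-long span.

    A sliding window over each source's sorted timestamps: this catches both a
    scripted enumeration and a human poking at a handful of ids by hand.
    """
    times = defaultdict(list)
    for h in hits:
        times[h["ip"]].append(h["ts"])
    flagged = []
    for ip, ts in times.items():
        ts.sort()
        for i in range(len(ts) - min_requests + 1):
            if ts[i + min_requests - 1] - ts[i] <= window:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    hits = requests_to(parse_log(SAMPLE_LOG), "/account/export")
    for ip, g in sorted(by_source(hits).items()):
        print(f"{ip:15} {g['count']} hits, {len(g['queries'])} distinct ids, "
              f"{g['first']:%H:%M:%S} .. {g['last']:%H:%M:%S}")
    print("follow-up candidates:", burst_sources(hits))
```

Note what the output does not tell the responder: the three-request burst from 203.0.113.7 and the four-request burst from 192.0.2.55 look the same at this stage. Only the later steps of the incident process (WHOIS, correlating with the reporter's own disclosure, or contacting the ISP) separate the reporter from the attacker, which is the point the post is making.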




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:19 EDT